Son Of A Breach! Revisiting The Cybersecurity Theme
By now, we’re all aware of the considerable investment opportunities that have emerged alongside the internet: ecommerce, cryptocurrency, social media – the list goes on.
But where these (arguably) more positive aspects of the online world tend to court the lion’s share of attention, the investment proposition indirectly offered by one of its more objectively ‘dark’ sides is often overlooked.
The reality is that, by next year, there will be three times as many networked devices around the world as human beings, according to a report from Cisco. And as this ‘surface area’ of global connectivity expands, so too will the scope of opportunities for cybercrime.
In fact, according to online security company Surfshark, UK victims of cybercrime have increased 17 times over in the past two decades. Meanwhile, figures from Bitkom Research released earlier this year found that cyber-attacks now impact an astonishing 90% of companies.
Increasingly pervasive attacks
It’s not just the number of attacks, either. It’s also the type. Public perception of cybercrime may be wedded to early 90s movies like “Hackers”. But while these code-based attacks on corporates no doubt still exist, the reality is that the cybercrime “industry” as a whole today has become far more sophisticated.
Perhaps most worryingly, individuals themselves are more at risk than ever, with their personal data and even their personal safety increasingly being targeted.
In 2022 alone, cyber-attacks on InterContinental Group, Uber, and Optus have compromised customer data. Likewise, it was only in August this year that a ransomware group was alleged to have threatened to change the composition of some 1.6 million individuals’ water supplies during an extortion attempt.
This is an extreme example, and the validity of the claim was disputed by South Staffordshire Water, the victim of the attack. But what all of these points serve to demonstrate is that cybercrime is no longer something that happens to someone else, or to big businesses only.
The regulatory response
As a result, regulators are stepping in to ensure firms take adequate steps to safeguard themselves and their customers online. Just last month, the European Union unveiled a new “Cyber Resilience Act”, which introduces mandatory cybersecurity requirements for products with digital elements in an effort to protect consumers.
As our lives connect more and more via digital touchpoints, it seems likely that requirements – both from regulators and policymakers – for adequate cybersecurity measures will continue to grow too. In line with this, spending will have to increase significantly from today’s levels.
For context, a recent survey by KPMG discovered that 40% of UK CEOs believe a cyber-attack on their company is inevitable. That’s despite the fact that investment in UK cybersecurity companies surpassed a record £1 billion in 2021 – an increase of 25% on the previous year.
A wave of expenditure is expected to pour into the cybersecurity sector in the coming years. And it’ll be the highest quality security vendors that will be positioned to meet the growing quantity and diversity of demand for new solutions.
We’re already seeing a swell in cybersecurity M&A as some of the industry’s larger companies leverage their bountiful resources to shore up their offerings in preparation, especially because 2022 has been a year in which many prized assets have become available at discounts.
Perhaps the most high-profile acquisition this year has been Google’s $5.4 billion acquisition of Mandiant in September. Others include Broadcom’s $69.2 billion purchase of VMware and Thoma Bravo’s $6.9 billion acquisition of SailPoint. We’ve also seen KKR acquire Barracuda Networks for $4 billion and Vista Equity acquire Citrix for $17.1 billion.
Acquirers are attracted to cybersecurity in part due to how dynamic the industry is. Technology is constantly evolving as malicious actors and nation state-sponsored organisations attempt to exploit digital vulnerabilities and critical infrastructure. As a result, acquirers have also been willing to pay up extensively to acquire new capabilities that accelerate product roadmaps and capitalise on new markets and emerging trends.
M&A activity has also reached historical highs. Generally speaking, M&A has been a good indicator of industry dynamism and the long-term potential of assets. And this year has been second to none in terms of cybersecurity M&A.
According to SecurityWeek, 234 cybersecurity M&A deals were identified between January 1, 2022 and June 30, 2022. If we continue at this pace, the number of deals for 2022 is going to exceed the 435 deals we saw in 2021 (itself an all-time high). Of these H1 2022 M&A deals, 195 involved companies in North America and 62 involved companies in Europe. Roughly two dozen deals involved firms based in Asia, Oceania and Latin America.
A thriving corporate M&A scene signals strong and healthy industry dynamics. It’s also an acknowledgement that investors view cybersecurity as a key industry, and a recognition that these companies are a critical piece of our armoury in the war against cybercrime. And because cybercrime is here to stay, our armoury will need to get stronger with time, all the more so as the world continues to digitise and open up new attack vectors for the world’s most nefarious gangs.
As cybercrime becomes more pervasive in the years ahead, the cybersecurity sector will have to rise to meet the challenge. This presents a long-term secular investment opportunity in the sector, especially at a time when the market appears to be harshly undervaluing the future potential of cybersecurity assets.
 Cisco, “Connected devices will be 3x the global population by 2023, Cisco says”, February 2020. Available at: https://www.rcrwireless.com/20200218/internet-of-things/connected-devices-will-be-3x-the-global-population-by-2023-cisco-says
 The National News, “Cybercrime rate in the UK higher last year than in other developed nations”, May 2022. Available at: https://www.thenationalnews.com/business/technology/2022/05/08/cyber-crime-rate-in-the-uk-higher-last-year-than-in-other-developed-nations/
 Info Security Magazine, “Hackers Admit Destroying InterContinental Hotels Group’s Data For Fun”, September 2022. Available at: https://www.infosecurity-magazine.com/news/hackers-destroying-ihgs-data-for/
 Forbes, “Uber Hack Update: Was Sensitive User Data Stolen & Did 2FA Open Door To Hacker?”, September 2022. Available at: https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted/
 The Guardian, “Customers’ personal data stolen as Optus suffers massive cyber-attack”, September 2022. Available at: https://www.theguardian.com/business/2022/sep/22/customers-personal-data-stolen-as-optus-suffers-massive-cyber-attack
 Sky News, “South Staffordshire Water says it was target of cyber-attack as criminals bungle extortion attempt”, August 2022. Available at: https://news.sky.com/story/south-staffordshire-water-says-it-was-target-of-cyber-attack-as-criminals-bungle-extortion-attempt-12674039
 European Commission, “New EU cybersecurity rules ensure more secure hardware and software products”, September 2022. Available at: https://digital-strategy.ec.europa.eu/en/news/new-eu-cybersecurity-rules-ensure-more-secure-hardware-and-software-products
 Entrust IT Europe, “UK CEOs Believe Cyber-Attacks Are Inevitable”, 2022. Available at: https://blog.entrustit.co.uk/uk-ceos-believe-cyber-attacks-are-inevitable
 UK Tech Magazine, “UK cybersecurity investment hit £1bn in 2021, revenues soared to £10bn”, February 2022. Available at: https://www.uktech.news/cybersecurity/uk-cybersecurity-investment-2021-20220217
 CSO Online, “Top cybersecurity M&A deals for 2022”, September 2022. Available at: https://www.csoonline.com/article/3646608/top-cybersecurity-manda-deals-for-2022.html
 Security Week, “SecurityWeek Analysis: Over 230 Cybersecurity M&A Deals Announced in First Half of 2022”, July 2022. Available at: https://www.securityweek.com/securityweek-analysis-over-230-cybersecurity-ma-deals-announced-first-half-2022